How to search the total number of users per day?

sim_tcr

Hello,

I have a field where the user names are recorded. I want to display a timechart with the total number of users for a day.

user
------
user1
user2
user5
user6
...
...

Please help me construct the search.

index="_internal" sourcetype=splunk_web_access source="/apps/splunk/var/log/splunk/web_access.log" 

Thanks,
Simon Mandy


javiergn

If you want the total number of users:

index="_internal" sourcetype=splunk_web_access
| timechart span=1d count(user) as total_users

If you want the distinct number of users:

index="_internal" sourcetype=splunk_web_access
| timechart span=1d dc(user) as distinct_users

If you want the count per user:

index="_internal" sourcetype=splunk_web_access
| timechart span=1d count as count_user by user
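
Added example (not part of the original answer): a small Python model of what the three searches above return per day, run over constructed events. It shows that count(user) counts events carrying a user value, while dc(user) counts unique users. The event list and the function name per_day are assumptions made for illustration; the NULL series mirrors timechart's default usenull=true.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events (not from the original post): (_time, user).
# user=None models an event in which the user field is missing.
EVENTS = [
    ("2024-05-01T08:00:00", "user1"),
    ("2024-05-01T09:30:00", "user1"),
    ("2024-05-01T10:00:00", "user2"),
    ("2024-05-01T23:59:59", None),
    ("2024-05-02T00:00:00", "user1"),
    ("2024-05-02T07:15:00", "user5"),
    ("2024-05-02T07:16:00", "user5"),
    ("2024-05-02T12:00:00", "user6"),
]


def per_day(events):
    """Hypothetical helper: bucket events by calendar day (span=1d) and
    compute the three aggregations from the answer for each bucket.
    Assumes all timestamps are already in the search user's time zone."""
    buckets = defaultdict(list)
    for ts, user in events:
        day = datetime.fromisoformat(ts).date().isoformat()
        buckets[day].append(user)

    result = {}
    for day in sorted(buckets):
        users = buckets[day]
        present = [u for u in users if u is not None]
        result[day] = {
            # count(user): number of events that have a user value
            "total_users": len(present),
            # dc(user): number of unique user values
            "distinct_users": len(set(present)),
            # count ... by user: one series per user; events without the
            # field land in a NULL series (timechart default usenull=true)
            "count_user": dict(Counter(u if u is not None else "NULL"
                                       for u in users)),
        }
    return result


if __name__ == "__main__":
    for day, row in per_day(EVENTS).items():
        print(day, row)
```
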
